PAC: Privacy & Security for Mobile Devices
Introduction
Privacy and Security Mobile Device Good Practices Project Launched

ONC’s Office of the Chief Privacy Officer (OCPO), in working with the HHS Office for Civil Rights (OCR), recently launched a Privacy & Security Mobile Device project. The project goal is to develop an effective and practical way to bring awareness and understanding to those in the clinical sector to help them better secure and protect health information while using mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule - Remote Use Guidance <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf>, the project is designed to identify privacy and security good practices for mobile devices. Identified good practices and use cases will be communicated in plain, practical, and easy to understand language for health care providers, professionals, and other entities. HHS will be looking for your input. Stay tuned for a public roundtable this Spring. For information about other HHS mHealth activities, please visit the mHealth Initiative website: <http://www.hhs.gov/open/initiatives/mhealth/index.html>.
Plan
- Hans/John to create e-mail request to EHR, CIC, Healthcare Devices, CBCC, Security WG, SOA, and Doug Fridsma to get insight into this area.
- Depending on what feedback we receive, narrow or widen feedback from workgroups.
Discussion
- John Moehrke
- I would request that you include:
- Security WG – Basic security and privacy
- CBCC WG – Privacy – Consent Directive CDA template
- SOA WG -- Services Oriented view used by many mobile devices; also include Access Control and Audit Control services
- EHR FM WG – Functional Model that includes Security and Privacy functional capabilities
- My overall answer is that mobile devices are not different than any other. Mobile Devices are just more likely to get lost or stolen (for pawn). It is this increased likelihood (of known risks) that needs to be considered. Thus good application design keeps sensitive information off of the device. Since this is a USA domain, it is quite easy to point at NIST who have excellent guidelines on this topic:
- NIST Guidelines on Cell Phone and PDA Security SP800-124.pdf
- NIST Guide to Storage Encryption Technologies for End User Devices SP800-111.pdf
- NIST Recommended Security Controls for Federal Information Systems and Organizations SP800-53-rev3-db
- The policy, methods, and technology used to protect a mobile device are commonplace in IT security circles. There is little that HL7 should add except where there are deep specifics to Healthcare and specifically HL7 artifacts.
- In the HL7 space, we do encourage a Risk Assessment/Management approach to reasonably applying security technology according to risk Impact and Likelihood. This is the core of our Security Risk Assessment Cookbook, which is being included in the fabric of HL7 standards development. Beyond this we do have tools in the HL7 family that are not specific to Mobile devices but are just as applicable: EHR Functional Model that includes security and privacy functionality – with efforts to align with ISO-1441 security functional models; Services for Access Control, and Audit Controls; Role-Based Access Control Permissions Catalog; ConfidentialityCode vocabulary; and Composite Consent Directive (CDA).